Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-a7fd-nsys-qub1
Vulnerability ID VCID-a7fd-nsys-qub1
Aliases CVE-2024-47821
GHSA-w7hq-f2pj-c53g
PYSEC-2024-302
Summary pyLoad is a free and open-source Download Manager. The folder `/.pyload/scripts` has scripts which are run when certain actions are completed, for e.g. a download is finished. By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. A file can be downloaded to such a folder by changing the download folder to a folder in `/scripts` path and using the `/flashgot` API to download the file. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. Version 0.5.0b3.dev87 fixes this issue.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.01807 https://api.first.org/data/v1/epss?cve=CVE-2024-47821
cvssv3.1 9.1 https://github.com/pyload/pyload
cvssv4 8.5 https://github.com/pyload/pyload
generic_textual HIGH https://github.com/pyload/pyload
cvssv3.1 9.1 https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109
cvssv4 8.5 https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109
generic_textual HIGH https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109
cvssv3.1 2.3 https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
cvssv3.1 9.1 https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
cvssv4 8.5 https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
generic_textual HIGH https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
ssvc Track* https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
cvssv3.1 9.1 https://nvd.nist.gov/vuln/detail/CVE-2024-47821
cvssv4 8.5 https://nvd.nist.gov/vuln/detail/CVE-2024-47821
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-47821
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-47821
https://github.com/pyload/pyload
https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109
https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
CVE-2024-47821 https://nvd.nist.gov/vuln/detail/CVE-2024-47821
GHSA-w7hq-f2pj-c53g https://github.com/advisories/GHSA-w7hq-f2pj-c53g
Data source Metasploit
Description CVE-2024-28397 is sandbox escape in js2py (<=0.74) which is a popular python package that can evaluate javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions and execute arbitrary commands on the host. At the time of writing no patch has been released, version 0.74 is the latest version of js2py which was released Nov 6, 2022. CVE-2024-39205 is an remote code execution vulnerability in Pyload (<=0.5.0b3.dev85) which is an open-source download manager designed to automate file downloads from various online sources. Pyload is vulnerable because it exposes the vulnerable js2py functionality mentioned above on the /flash/addcrypted2 API endpoint. This endpoint was designed to only accept connections from localhost but by manipulating the HOST header we can bypass this restriction in order to access the API to achieve unauth RCE.
Note 
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
  - artifacts-on-disk
Ransomware campaign use Unknown
Source publication date Oct. 28, 2024
Platform Linux,Unix
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pyload/pyload
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P Found at https://github.com/pyload/pyload
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P Found at https://github.com/pyload/pyload/commit/48f59567393a19263c8a0285256a7537dc9ce109
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N Found at https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P Found at https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-28T17:19:04Z/ Found at https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-47821
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P Found at https://nvd.nist.gov/vuln/detail/CVE-2024-47821
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.83188
EPSS Score 0.01807
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:22:25.441175+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2024-302.yaml 38.6.0